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Abstract — This paper studies the H2 (Kalman) filtering 
problem in the situation where a signal estimate must be 
constructed based on inputs from individual participants, 
whose data must remain private. This problem arises in 
emerging applications such as smart grids or intelligent 
transportation systems, where users continuously send data 
to third-party aggregators performing global monitoring or 
control tasks, and require guarantees that this data cannot 
be used to infer additional personal information. To pro- 
vide strong formal privacy guarantees against adversaries 
with arbitrary side information, we rely on the notion 
of differential privacy introduced relatively recently in the 
database literature. This notion is extended to dynamic 
systems with many participants contributing independent 
input signals, and mechanisms are then proposed to solve 
the H2 filtering problem with a differential privacy con- 
straint. A method for mitigating the impact of the privacy- 
inducing mechanism on the estimation performance is 
described, which relies on controlling the Hoc norm of 
the filter. Finally, we discuss an application to a privacy- 
preserving traffic monitoring system. 

I. Introduction 

In many applications, such as smart grids, population 
health monitoring, or traffic monitoring, the efficiency of 
the system relies on the participation of the users to pro- 
vide reliable data in real-time, e.g., power consumption, 
sickness symptoms, or GPS coordinates. However, for 
privacy or security reasons, the participants benefiting 
from these services generally do not want to release 
more information than strictly necessary. Unfortunately, 
examples of unintended loss of privacy already abound. 
Indeed, it is possible to infer from the trace of a 
smart meter the type of appliances present in a house 
as well as the occupants' daily activities [1], to re- 
identify an anonymous GPS trace by correlating it with 
publicly available information such as location of work 
[2], or to infer individual transactions on commercial 
websites from temporal changes in public recommenda- 
tion systems [3]. Providing rigorous guarantees to the 
users about the privacy risks incurred is thus crucial 
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to encourage participation and ultimately realize the 
benefits promised by these systems. 

In our recent work [4], we introduced privacy con- 
cerns in the the context of systems theory, by relying 
on the notion of differential privacy [5], a particularly 
successful definition of privacy used in the database liter- 
ature. This notion is motivated by the fact that any useful 
information provided by a dataset about a group of peo- 
ple can compromise the privacy of specific individuals 
due to the existence of side information. Differentially 
private mechanisms randomize their responses to dataset 
analysis requests and guarantee that whether or not an 
individual chooses to contribute her data only marginally 
changes the distribution over the published outputs. As a 
result, even an adversary cross-correlating these outputs 
with other sources of information cannot infer much 
more about specific individuals after publication than 
before [6]. 

Most work related to privacy is concerned with the 
analysis of static databases, whereas cyber-physical sys- 
tems clearly emphasize the need for mechanisms work- 
ing with dynamic, time- varying data streams. Recently, 
information-theoretic approaches have been proposed to 
guarantee some level of privacy when releasing time 
series [7], [8]. However, the resulting privacy guarantees 
only hold if the statistics of the participants' data streams 
obey the assumptions made (typically stationarity, de- 
pendence and distributional assumptions), and require 
the explicit statistical modeling of all available side 
information. This task is impossible in general as new, 
as-yet-unknown side information can become available 
after releasing the results. In contrast, differential privacy 
is a worst-case notion that holds independently of any 
probabilistic assumption on the dataset, and controls the 
information leakage against adversaries with arbitrary 
side information [6]. Once such a privacy guarantee 
is enforced, one can still leverage potential additional 
statistical information about the dataset to improve the 
quality of the outputs. 

In this paper, we pursue our work on differential 
privacy for dynamical systems [4], by considering the 
V.2 filtering problem (or steady-state Kalman filtering) 
with a differential privacy constraint. In this problem, 
the goal is to minimize an estimation error variance for 



a desired linear combination of the participants' state 
trajectories, based on their contributed measurements, 
while guaranteeing the privacy of the individual signals. 
In contrast to the generic filtering mechanisms presented 
in [4], we emphasize here how a model of the par- 
ticipants' dynamics can be leveraged to publish more 
accurate results, without compromising the differential 
privacy guarantee if this model is not accurate. Section 
provides some technical background on differential 
privacy and Section [TIT] describes a basic mechanism 
enforcing privacy for dynamical systems by injecting 
additional white noise. As shown in [4], accurate pri- 
vate results can be published for filters with small 
incremental gains with respect to the individual input 
channels. This leads us in Section [TV] to present a 
modification of the standard Kalman filter, essentially 
controlling its norm simultaneously with the steady- 
state estimation error, in order to minimize the impact 
of the privacy-inducing mechanism. Finally, Section [V] 
describes an application to a simplified traffic monitoring 
system relying on location traces from the participants to 
provide an average velocity estimate on a road segment. 
Most proofs are omitted from this extended abstract and 
will appear in the full version of the paper. 

II. Differential Privacy 

In this section we review the notion of differential 
privacy [5] as well as a basic mechanism that can be used 
to achieve it when the released data belongs to a finite- 
dimensional vector space. We refer the reader to the 
surveys by Dwork, e.g., [9], for additional background 
on differential privacy. 

A. Definition 

Let us fix some probability space (fl,J-, P). Let D 
be a space of datasets of interest (e.g., a space of data 
tables, or a signal space). A mechanism is just a map 
M : D x fl — > R, for some measurable output space R, 
such that for any element d G D, M(d, •) is a random 
variable, typically writen simply M(d). A mechanism 
can be viewed as a probabilistic algorithm to answer a 
query q, which is a map q : D — > R. In some cases, we 
index the mechanism by the query q of interest, writing 
M q . 

Example 2.1: Let D = M", with each real-valued 
entry of d G D corresponding to some sensitive infor- 
mation for an individual contributing her data. A data 
analyst would like to know the average of the entries of 
d, i.e., her query is 



As detailed in Section II-B a typical mechanism M, 



to answer this query in a differentially private way 
computes q(d) and blurs the result by adding a random 
variable Y : -> K 



M q :Dx!J 



M q (d) 



1 



»=i 



dt+Y. 



D 



q(d) = - 



i=l 



Note that in the absence of perturbation Y, an adversary 
who knows n and dj,j > 2, can recover the remaining 
entry d\ exactly if he learns q(d). This can deter 
people from contributing their data, even though broader 
participation improves the accuracy of the analysis and 
thus can be beneficial to the population as a whole. 

Next, we introduce the definition of differential pri- 
vacy. We call a measure /.i on R ^-bounded if it is a 
finite positive measure with /i(R) < S. Intuitively in 
the following definition, D is a space of datasets of 
interest, and we have a binary relation Adj on D, called 
adjacency, such that Adj(d, d') if and only if d and d' 
differ by the data of a single participant. 

Definition 1: Let D be a space equipped with a binary 
relation denoted Adj, and let (R,A4) be a measurable 
space. Let e, S > 0. A mechanism M : D X Q — > R 
is (e, <5) -differentially private if there exists a ^-bounded 
measure /i on (R,M) such that for all d, d! G D such 
that Adj(d, d') and for all S G M, we have 

P(M(d) eS)< e e P{M{d') eS) + fi(S). (1) 

If S = 0, the mechanism is said to be e-differentially 
private. 

This definition is essentially the same as the one 
introduced in [5] and subsequent work, except for the 
fact that n(S) in ([Tji is usually replaced by the constant 
S. The definition says that for two adjacent datasets, the 
distributions over the outputs of the mechanism should 
be close. The choice of the parameters e, 5 is set by 
the privacy policy. Typically e is taken to be a small 
constant, e.g., e sa 0.1 or perhaps even In 2 or In 3. 
The parameter 5 should be kept small as it controls the 
probability of certain significant losses of privacy, e.g., 
when a zero probability event for input d! becomes an 
event with positive probability for input d in ([TJ. 

Remark 1: The definition of differential privacy de- 
pends on the choice of er-algebra A4 in Definition [T] 
When we need to state this cr-algebra explicitly, we 
write M : D x ft — > (R,M). In particular, this cr- 
algebra should be sufficiently "rich", since (JTJ) is trivially 
satisfied by any mechanism if M. = {0, R}. 

A useful property of the notion of differential privacy 
is that no additional privacy loss can occur by simply 
manipulating an output that is differentially private. This 



result is similar in spirit to the data processing inequality 
from information theory [10]. 

Theorem 1 (resilience to post-processing): Let Mi : 
D x Q — > (Ri,A^i) be an (e, (5) -differentially private 
mechanism. Let M 2 : D x Q — > (R 2 ,A4 2 ) be another 
mechanism such that for all S 1 G M.i, there exists a 
nonnegative measurable function f$ such that for all 
d £ D, we have 

P(M a (d) G S|Mi(d)) = fs(Mi(d)),Vd £ D. (2) 

Then M 2 is (e, (5) -differentially private. 

Remark 1: Suppose that M\ takes its values in a 
discrete set. Then the condition (|2]i says that the con- 
ditional distribution P(M 2 (d) G S\M Y (d) = mi) for 
a given element mi does not further depend of d. In 
other words, a mechanism M 2 accessing the dataset 
only indirectly via the output of M\ cannot weaken the 
privacy guarantee. Hence post-processing can be used to 
improve the accuracy of an output, without weakening 
the privacy guarantee. 

B. A Basic Differentially Private Mechanism 

A mechanism that throws away all the information 
in a dataset is obviously private, but not useful, and in 
general one has to trade off privacy for utility when 
answering specific queries. We recall below a basic 
mechanism that can be used to answer queries in a 
differentially private way. We are only concerned in this 
section with queries that return numerical answers, i.e., 
here a query is a map q : D — » R, where the output 
space R equals K fc for some k > 0, is equipped with 
a norm denoted || • ||r, and the er-algebra M. on R is 
taken to be the standard Borel cr-algebra, denoted TZ . 
The following quantity plays an important role in the 
design of differentially private mechanisms [5]. 

Definition 2: Let D be a space equipped with an 
adjacency relation Adj. The sensitivity of a query q : 
D — > R is defined as 

A R q := max \\q(d) - q(d')\\ R . 

d,d':Adj(d,d') 

In particular, for R = M. k equipped with the p-norm 

/ 1 \ 1 lv 

IWIp = [J2i=i \ x i\ P ) ,fovp£ [1, 00], we denote the 
l v sensitivity by A p q. 

A differentially private mechanism proposed in [11], 
modifies an answer to a numerical query by adding 
iid zero-mean noise distributed according to a Gaussian 
distribution. Recall the definition of the Q-function 

1 f°° 
Q(x) := —= / e 2 du. 

The following theorem tightens the analysis from [11]. 



Theorem 2: Let q : D — > K. be a query. Then the 
Gaussian mechanism Mq : D x £1 — > M. k defined by 
M q (d) = q(d) + w, with w - Af (0, a 2 I k ), where 
g > ^t(K + VK 2 +2e) and K = Q^ 1 {S), is (e,5)- 
differentially private. 

For the rest of the paper, we define 

k(S, e) = —{K+ VK 2 + 2e), 

so that the standard deviation a in Theorem |2] can 
be written <r(S, e) = k(c, (5)A 2 g. It can be shown 
that k(S, e) behaves roughly as (9(ln(l/(5)) 1 / 2 /e. For 
example, to guarantee (e, <5)-differential privacy with 
e = m(2) and 5 = 0.05, we obtain that the standard 
deviation of the Gaussian noise introduced should be 
about 2.65 times the £ 2 -sensitivity of q. 

III. Differentially Private Dynamic Systems 

In this section we review the notion of differential 
privacy for dynamic systems, following [4]. We start 
with some notations and technical prerequisites. All 
signals are discrete-time signals and all systems are 
assumed to be causal. For each time T, let Pt be the 
truncation operator, so that for any signal x we have 

V ; [0, t>T. 

Hence a deterministic system Q is causal if and only 
if P T Q = P T QP T . We denote by l™ e the space of 
sequences with values in W 11 and such that x £ £™ e 
if and only if P^x has finite p-norm for all integers T. 
The H2 norm and Hoo norm of a stable transfer function 
Q are defined respectively as 

11011a = f ^AQ*{e^)Q{e^))d^\ 
Halloo = ess sup cr max (C?(e 1 ")), 

CJ£ [— -7T,7r) 

where a ma , x (A) denotes the maximum singular value of 
a matrix A. 

We consider situations in which private participants 
contribute input signals driving a dynamic system and 
the queries consist of output signals of this system. We 
assume that the input of a system consists of n signals, 
one for each participant. An input signal is denoted u = 
(til, • ■ • i u n), with m £ ^™ i e for some rrii £ N and ri £ 
[l,oo], A simple example is that of a dynamic system 
releasing at each period the average over the past I 
periods of the sum of the input values of the participants, 
i.e., with output j 2~2k=t-l+i 2~2i=i u i-k at ti me t For 
r = (ri, . . . , r n ) and m — (mi, . . . , m n ), an adjacency 
relation can be defined on Z™ e = H^ 1 e x . . . x £™" e 




Fig. 1. Two architectures for differential privacy, (a) Input perturba- 
tion, (b) Output perturbation. 

by Adj («,«,') if and only if u and u' differ by exactly 
one component signal, and moreover this deviation is 
bounded. That is, let us fix a set of nonnegative numbers 
b = (pi,..., b n ), bi > 0, and define 

Adj fc (u, u') iff for some i, ||ttj — u' i \\ Ti < bi, (3) 
and uj — u'j for all j ^ i. 

Note that in Q two signals u,*, u\ are considered differ- 
ent if there exists some time t at which u,, f ^ u\ t . 

A. The Dynamic Gaussian Mechanism 

Recall (see, e.g., [12]) that for a system F with inputs 
in £J? e and output in £™ e , its i r -to-i s incremental gain 
7™ C (-F) is defined as the smallest number 7 such that 

\\P T Fu-P T Fu'\\ s < j\\P T U-P T u'\\ r , Vtt.u' € £™, 

for all T. Now consider, for r = (r 1; . . . , r n ) and m = 
(mi, . . . , m n ), a system Q defined by 

n 

Q(ui,...,u n ) = y^^GjUj, (4) 

i=l 

where & : £™* e -> tf' e , for all 1 < i < n. 

Theorem 3: Let Q be defined as in Q and con- 
sider the adjacency relation Then the mechanism 
Mu — Qu + w, where w is a white noise with wt ~ 
Af(0, <r 2 I m >) and cr > n(6, e) maxi<i<„{7™ c 2 (^) 
is (e, <5)-differentially private. 

Corollary 1: Let t/ be defined as in Q with each 
system Qi linear, and = 2 for all 1 < i < n. 
Then the mechanism Mu = Qu + w, where w is a 
white Gaussian noise with w t ~ M(0,a 2 I m ') and ct > 
k(5, e) maxi< i < n {||^ i || 0O 6J, is (e, 5) -differentially pri- 
vate for ([3]). 

B. Filter Approximation Set-ups for Differential Privacy 

Let ri — 2 for all i and ^ be linear as in the Corollary 
n] and assume for simplicity the same bound b\ — . . . — 
\r n = £ for the allowed variations in energy of each input 
signal. We have then two simple mechanisms producing 



a differentially private version of Q, depicted on Fig. [T] 
The first one directly perturbs each input signal ui by 
adding to it a white Gaussian noise w, with Wij ~ 
Af(0,a 2 I mi ) and a 2 = K(S,e) 2 £. These perturbations 
on each input channel are then passed through Q, leading 
to a mean squared error (MSE) for the output equal to 
K (S,e) 2 £\\Q\\ 2 = K(8,e) 2 £YZ = i\\Gi\\l Alternatively, 
we can add a single source of noise at the output of 
Q according to Corollary [T] in which case the MSE 
is k(8, e) 2 £ maxi^i^nlll^ilj^}. Both of these schemes 
should be evaluated depending on the system Q and the 
number n of participants, as none of the error bound is 
better than the other in all circumstances. For example, 
if n is small or if the bandwidths of the individual 
transfer functions Qi do not overlap, the error bound for 
the input perturbation scheme can be smaller. Another 
advantage of this scheme is that the users can release 
differentially private signals themselves without relying 
on a trusted server. However, there are cryptographic 
means for achieving the output perturbation scheme 
without centralized trusted server as well, see, e.g., [13]. 

Example 3.1: Consider again the problem of releas- 
ing the average over the past I periods of the sum of the 
input signals, i.e., Q = Y2?=i @i w i m 

1 * 

(QiUi)t = j J]] Ui,k) 
fc=t— i+1 

for all i. Then \\Qi\\\ — I /I, whereas ||0j||oo — L for all 
i. The MSE for the scheme with the noise at the input is 
then k(5, e) 2 £n/l. With the noise at the output, the MSE 
is k(S, e) 2 £, which is better exactly when n > I, i.e., the 
number of users is larger than the averaging window. 

IV. Kalman Filtering 

We now discuss the Kalman filtering problem subject 
to a differential privacy constraint. With respect to the 
previous section, for Kalman filtering it is assumed 
that more is publicly known about the dynamics of 
the processes producing the individual signals. The goal 
here is to guarantee differential privacy for the individual 
state trajectories. Section [Vj describes an application of 
the differentially private mechanisms presented here to 
a stylized traffic monitoring problem. 

A. A Differentially Private Kalman Filter 

Consider a set of n linear systems, each with inde- 
pendent dynamics 

Xi.t+i = AiX^t + BiW i<t , t>0, 1 < i < n, (5) 

where Wi is a standard zero-mean Gaussian white noise 
process with covariance E[wi yt Wi y t>] — 6t-t'> an d the 
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Fig. 2. Kalman filtering set-up. 



initial condition Xi t o is a Gaussian random variable with 
mean x^q, independent of the noise process iWj. System 
i, for 1 < i < n, sends measurements 



Ui,t = CiX i:t + DiW it t 



(6) 



to a data aggregator. We assume for simplicity that the 
matrices Di are full row rank, and that BiDf = 0, i.e., 
the process and measurement noises are uncorrelated. 

The data aggregator aims at releasing a signal that 
asymptotically minimizes the minimum mean squared 
error with respect to a linear combination of the individ- 
ual states. That is, the quantity of interest to be estimated 
at each period is z t = Y2%=i ^i x i,u where Li are given 
matrices, and we are looking for a causal estimator z 
constructed from the signals y,, 1 < i < n, solution of 



min lim 

I T-voc 



1 T_1 

f=0 



E [\\zt 



The data Xi t o, A,-, Bi,Ci, Di, Xj, 1 < i < n, are as- 
sumed to be public information. For all 1 < i < n, 
we assume that the pairs (Aj, Ci) are detectable and the 
pairs {Ai, Bi) are stabilizable. In the absence of privacy 
constraint, the optimal estimator is z t — Y^i=i Li%i,t> 
with in provided by the steady-state Kalman filter [14]. 
Figure [2] shows this initial set-up. 

Suppose now that the publicly released estimate z 
should guarantee the differential privacy of the par- 
ticipants. This requires that we first specify an adja- 
cency relation on the appropriate space of datasets. Let 



,,x 



TlT 



and y 



, yn) T denote the 



global state and measurement signals. Assume that the 
mechanism is required to guarantee differential privacy 
with respect to a subset Si :— {ii,-.-,ik} °f me 
coordinates of the state trajectory Xi. Let the matrix Ti 
be the diagonal matrix with [Ti]jj = 1 if j E Si, and 



[Til, 



considered here is 

Ad)g(x,x') iff for some i, \\TiXi — Tix'^2 < Pi, (7) 
(/ — Ti)xi = (I — Ti)x'i, and Xj = x'j for all j ^ i. 

In words, two adjacent global output signals differ by 
the trajectory of a single participant, say i. Moreover, 
for differential privacy guarantees we are constraining 
the range in energy variation in the signal TiXi of 
participant i to be at most pj. Hence, the distribution 
on the released results should be essentially the same 
if a participant's output signal value TiX i to at some 
single specific time to were replaced by Tix\ t with 
\\Ti{xi : t — x[ to )|| < pi, but the privacy guarantee should 
also hold for smaller instantaneous deviations on longer 
segments of trajectory. 

Depending on which signals on Fig. [2] are actually 
published, and similarly to the discussion of Section III 
[B] there are different points at which a privacy induc- 
ing noise can be introduced. First, for the input noise 
injection mechanism, the noise can be added by each 
participant directly to their transmitted measurement 
signal yi. Namely, since for two state trajectories Xi,x'i 
adjacent according to ([7jl we have for the corresponding 
measured signals 

differential privacy can be guaranteed if participant i 
adds to yi a white Gaussian noise with covariance 
matrix k(S, e) 2 pfa^^CiT^Ip., where pi is the dimen- 
sion of yij. Note that in this sensitivity computation 
the measurement noise DiWi has the same realization 
independently of the considered variation in Xi. At the 
data aggregator, this additional noise can be taken into 
account in the design of the Kalman filter, since it can 
simply be viewed as an additional measurement noise. 
Again, an important advantage of this mechanism is 
its simplicity of implementation when the participants 
do not trust the data aggregator, since the transmitted 
signals are already differentially private. 

Next, consider the output noise injection mechanism. 
Since we assume that x is public information, the initial 
condition Xi Q of each state estimator is fixed. Consider 
now two state trajectories x, x' , adjacent according to 
and let z, z' be the corresponding estimates pro- 
duced. We have 

z-z' = L i K, i {y l - y'i) = L i K, l C i Ti(x l - x'A, 

th 



otherwise. Hence T,v sets the coordinates of where Id is the i th Kalman filter. Hence \\z- z'\\ 2 < 



a vector v which do not belong to the set . . . , ik} 
to zero. Fix a vector p g R™. The adjacency relation 



•jiPi, where ji is the Hoo norm of the transfer function 
LiK-iCiTi. We thus have the following theorem. 



Theorem 4: A mechanism releasing 

(Y^i=i LilCiyi)+'yK(5, e) v, where v is a standard white 
Gaussian noise independent of {wi}i<i< n , {xi,o}i<i<n, 
and 7 = maxi<j< n {7ipj}, with 7, the norm of 
LiJCtCiTi, is differentially private for the adjacency 
relation (|7J. 

B. Filter Redesign for Stable Systems 

In the case of the output perturbation mechanism, 
one can potentially improve the MSE of the filter with 
respect to the Kalman filter considered in the previous 
subsection. Namely, consider the design of n filters of 
the form 



%i,t+i = Fi%i tt - 



GiUi,t 
- Kiy i t , 



(8) 
(9) 



for 1 < i < n, where Fi,Gi, Hi, Ki are matrices to 
determine. The estimator considered is 



so that each filter output %i should minimize the steady- 
state error variance with and the released 
signal z should guarantee the differential privacy with 
respect to (j7]). Assume first in this section that the 
system matrices Ai are stable, in which case we also 
restrict the filter matrices Fi to be stable. Moreover, we 
only consider the design of full order filters, i.e., the 
dimensions of Fi are greater or equal to those of Ai, 
for all 1 < i < n. Finally, we remove the simplifying 
assumption BiDf = 0. 

Denote the overall state for each system and associ- 
ated filter by J, = [xf,xf] T . The combined dynamics 
from Wi to the estimation error := Zi — Zi can then 
be written 

Xij+i = AiXi tt + BiWi^t 
&%,t = CiXij + DiW ijt , 



where 



Ai 
GiCi 





Fi 



Bi 
GiDi 



C, 



[Li ~ Kid -Hi) , A = -KiDi 



The steady-state MSE for the i estimator is then 
limt^ooE^e^t]. 

In addition, we are interested in designing filters with 
small Hoc norm, in order to minimize the amount of 
noise introduced by the privacy-preserving mechanism, 
which ultimately impacts the overall MSE. Considering 
as in the previous subsection the sensitivity of filter 
i's output to a change from a state trajectory x to an 



adjacent one x' according to and letting Sxi = 
Xi — x'i ~ Ti(xi — x[) — TiSxi, we see that the change 
in the output of filter i follows the dynamics 

Sx ht +i = FiSx ht + GiCSTiSxi 
S2i = HiSxij + KtCiTiSxt. 

Hence the £2 -sensitivity can be measured by the Hoo 
norm of the transfer function 



(10) 



Fi 


GiCiTi 


Hi 


KidTi 



Simply replacing the Kalman filter in Theorem [4] the 
MSE for the output perturbation mechanism guarantee- 
ing (e, (J)-privacy is then 



Y, \\C*( zI - ^r 1 ^ + All! + k{S, ef max {yfp*}, 

L — ' l<i<n 
i=l 



with 7l := \\Hi{sI - F i )~ 1 G i CiTi + K^T^ 



Hence minimizing this MSE leads us to the following 
optimization problem 



mm 

m,X,Fi,Gi,Hi,Ki 



(it + k(6, e) 2 A 
s.t. V 1 < i < n, \\Ci(zI - AA^B, - 



A|| 2 < Mi 



plWH^zI - F i )- 1 G i C i T i + KidTif^ < A. 



(11) 

(12) 
(13) 



Assume without loss of generality that pi > for all i, 
since the privacy constraint for the signal Xi vanishes if 
Pi = 0. The following theorem gives a convex sufficient 
condition in the form of Linear Matrix Inequalities 
(LMIs) guaranteeing that a choice of filter matrices 
Fi,Gi, Hi, Ki satisfies the constraints (|T2j-(jT3j. These 
LMIs can be obtained using the change of variable 
technique described in [15]. 

Theorem 5: The constraints (fT2]i-([T3]>, for some 
1 < i < n, are satisfied if there exists matrices 
W^Yi.Z^Fi.G^HuKi such that Tr(Wi) < p t , and 



the LMIs (14 1, (15i shown next page are satisfied. 

If these conditions are satisfied, one can recover 
admissible filter matrices Fi,Gi, H, Ki by setting 

Gi = Vr l Gi, 



Fi = vr 1 F i zr 1 ur T , 



H 



H i Zr 1 Ur T , 



K, = Ki 



(16) 



where Ui , Vi are any two nonsingular matrices such that 



ViU 



I - YiZ: 



Note that the problem (Hi is also linear in p,i,\. 
These variables can then be minimized subject to the 
LMI constraints of Theorem [5] in order to design a good 
filter trading off estimation error and £ 2 -sensitivity to 
minimize the overall MSE. 
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C. Unstable Systems 

If the dynamics Q are not stable, the linear filter 
design approach presented in the previous paragraph is 
not valid. To handle this case, we can further restrict the 
class of filters. As before we minimize the estimation 
error variance together with the sensitivity measured by 
the T-Loo norm of the filter. Starting from the general 
linear filter dynamics ([8]), d5), we can consider designs 
where Xi is an estimate of xu and set H{ = Li, K\ = 0, 
so that Zi — Liii is an estimate of z< = L t Xi. The error 
dynamics := Xi — ij then satisfies 



e M+ i = (Aj - GiCi)Xi >t - FiX it t + (B. t - GiDi)w i<t . 

Setting = (A* — GiCi) gives an error dynamics 
independent of Xj 

ei , t+ i = (A: ~ (■',(', " ,.< + (Bi - GiD^Wyt, (17) 

and leaves the matrix Gi as the only remaining design 
variable. Note however that the resulting class of filters 
contains the (one-step delayed) Kalman filter. To obtain 
a bounded error, there is an implicit constraint on Gi 
that Ai — GiCi should be stable. 

Now, following the discussion in the previous subsec- 
tion, minimizing the MSE while enforcing differential 
privacy leads to the following optimization problem 

n 

min m + k(S, e) 2 A (18) 

i=l 

s.t. V 1 < i < n. 

\\Li(zI - (Ai - GiCi))- x (Bi - GiDt)\\l < Mi, (19) 
p\\\Li(zI - (Ai - GiCi))~ 1 G l C i Ti\\l < A. (20) 

Again, one can efficiently check a sufficient condition, 
in the form of the LMIs of the following theorem, 



Optimizing over the variables A,,Mi,Gj can then be 
done using semidefinite programming. 

Theorem 6: The constraints (jT9j - (|20j , for some 1 < 
i < n, are satisfied if there exists matrices Y^X^G, 
such that 



Tr(y,Lf Li) < Mi, 
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>- 0, (21) 
y 0, (22) 

^0. (23) 



If these conditions are satisfied, one can recover an 
admissible filter matrice Gi by setting 

Gi = X^ 1 Gi. 

V. A Traffic Monitoring Example 

Consider a simplified description of a traffic moni- 
toring system, inspired by real-world implementations 
and associated privacy concerns as discussed in [2], [16] 
for example. There are n participating vehicles traveling 
on a straight road segment. Vehicle i, for 1 < i < n, 
is represented by its state x^ = [£i.t, £,i,t] T , with £j 
and its position and velocity respectively. This state 
evolves as a second-order system with unknown random 
acceleration inputs 

\T?/2 



1 



%i,t + era 



guaranteeing that the constraints ( 19 1, (20i are satisfied 



where T s is the sampling period, Wi t t is a standard white 
Gaussian noise, and an > 0. Assume for simplicity 



that the noise signals Wj for different vehicles are 
independent. The traffic monitoring service collects GPS 
measurements from the vehicles [2], thus getting noisy 
readings of the positions at the sampling times 

Vi,t = [l 0] + cr i2 [0 1] w i:t , 
with <j L 2 > 0. 

The purpose of the traffic monitoring service is to 
continuously provide an estimate of the traffic flow 
velocity on the road segment, which is approximated 
by releasing at each sampling period an estimate of the 
average velocity of the participating vehicles, i.e., of the 
quantity 



Output Noise Injection + Original KF 



Zt 



1 n 



(24) 



With a larger number of participating vehicles, the sam- 
ple average ( |24| represents the traffic flow velocity more 
accurately. However, while individuals are generally 
interested in the aggregate information provided by such 
a system, e.g., to estimate their commute time, they 
do not wish their individual trajectories to be publicly 
revealed, since these might contain sensitive information 
about their driving behavior, frequently visited locations, 
etc. The privacy mechanism proposed in [2] perturbs 
the GPS traces by dropping 1 out of k measurements at 
each given location (the sampling is event based rather 
than periodic as here). This makes individual trajectory 
tracking potentially harder, but no formal definition of 
privacy is introduced, and hence no quantitative privacy 
guarantee can be provided. 

A. Numerical Example 

We now discuss some differentially private estimators 
introduced above, in the context of this example. All 
individual systems are identical, hence we drop the 
subscript i in the notation. Assume that the selection 

ri o" 



matrix is T = 



Oil 



Oil 




1, and e 



that 



= 100 m, T, = Is, 



ln(3), 5 = 0.05. A single 



Kalman filter denoted JC is designed to provide an 
estimate Xi of each state vector x^ so that in absence 
of privacy constraint the final estimate would be 



= [0 aE^=[° 




Finally, assume that we have n = 200 participants, and 
that their mean initial velocity is 45 km/h. 

In this case, the input noise injection scheme without 
modification of the Kalman filter is essentially unusable 
since its steady-state Root-Mean-Square-Error (RMSE) 
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Fig. 3. Two differentially private average velocity estimates, with n = 
200 users. The Kalman filters are initialized with the same incorrect 
initial mean velocity, in order to evaluate their convergence time. 



is almost 26 km/h. However, modifying the Kalman 
filter to take the privacy inducing noise into account as 
additional measurement noise leads to the best RMSE 
of all the schemes discussed here, of about 0.31 km/h. 
Using the Kalman filter JC with the output noise injection 
scheme leads to an RMSE of 2.41 km/h. Moreover in 
this case ||/C||oo = 0.57 is quite small, and trying to 
balance estimation with sensitivity using the LMI of 
Theorem [6] (by minimizing the MSE while constraining 
the Hoo norm rather than using the objective function 



( fl8| l) only allowed us to reduce this RMSE to 2.31 km/h. 
However, an issue that is not captured in these steady- 
state estimation error measures is that of convergence 
time of the filters. This is illustrated on Fig. [3] which 
shows a trajectory of the average velocity of the par- 
ticipants, together with the estimates produced by the 
input noise injection scheme with compensating Kalman 
filter and the output noise injection scheme following JC. 
Although the RMSE of the first scheme is much better, 
its convergence time of more than 1 min, due to the 
large measurement noise assumed, is much larger. This 
can make this scheme impractical, e.g., if the system 
is supposed to respond quickly to an abrupt change in 
average velocity. 

VI. Conclusion 

We have discussed mechanisms for preserving the 
differential privacy of individual users transmitting mea- 
surements of their state trajectories to a trusted central 
server releasing sanitized filtered outputs based on these 
measurements. Decentralized versions of these mech- 
anisms can in fact be implemented in the absence of 
trusted server by means of cryptographic techniques 



[17]. Further research on privacy issues associated with 
emerging large-scale information processing and con- 
trol systems is critical to encourage their development. 
Moreover, obtaining a better understanding of the design 
trade-offs between privacy or security and performance 
in these systems raises interesting system theoretic ques- 
tions. 
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